Andrew Archibald discovered that the last update to squirrelmail which
was intended to fix several problems caused a regression which got
exposed when the user hits a session timeout. For completeness below
is the original advisory text:

Several vulnerabilities have been discovered in Squirrelmail, a
commonly used webmail system. The Common Vulnerabilities and
Exposures project identifies the following problems:

Grant Hollingworth discovered that under certain circumstances URL
manipulation could lead to the execution of arbitrary code with
the privileges of www-data. This problem only exists in version
1.2.6 of Squirrelmail.

For the stable distribution (woody) these problems have been fixed in
version 1.2.6-3.

For the unstable distribution (sid) the problem that affects unstable
has been fixed in version 1.4.4-1.